RDS database instance should be encrypted
Description
Amazon RDS-encrypted database instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server hosting your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles the authentication of access and decryption of your data transparently with a minimal impact on performance.
Rationale
With RDS encryption enabled, the data stored on the instance’s underlying storage, the automated backups, read replicas, and snapshots, are all encrypted.
From the console
Follow the Enabling Amazon RDS encryption for a DB instance documentation to ensure your database instances are encrypted.
From the command line
Run describe-db-instances with an instance identifier query to list RDS database names.
aws rds describe-db-instances \
--query 'DBInstances[*].DBInstanceIdentifier'
Run create-db-snapshot with any returned database instance you wish to modify.
aws rds create-db-snapshot \
--db-snapshot-identifier <insert-db-snapshot-id> \
--db-instance-identifier <insert-db-id>
Run list-aliases to list KMS keys aliases by region.
aws kms list-aliases \
--region <insert-region>
Run copy-db-snapshot with the kms-key-id returned in step 3.
aws rds copy-db-snapshot \
--region <insert-region> \
--source-db-snapshot-identifier <insert-original-db-snapshot-id> \
--target-db-snapshot-identifier <insert-encrypted-db-snapshot-id> \
--copy-tags \
--kms-key-id <insert-kms-key-id>
Run restore-db-instance-from-db-snapshot to restore the previously created snapshot.
aws rds restore-db-instance-from-db-snapshot \
--region <insert-region> \
--db-instance-identifier <insert-encrypted-db-id> \
--db-snapshot-identifier <insert-encrypted-db-snapshot-id>
Run describe-db-instances with a query to ensure database encryption.
aws rds describe-db-instances \
--region <insert-region> \
--db-instance-identifier <insert-encrypted-db-snapshot-id> \
--query 'DBInstances[*].StorageEncrypted'
